1. Field of the Invention
The present invention relates to the field of data encryption using a symmetric algorithm, more particularly the Advanced Encryption Standard (AES) algorithm. More particularly, the present invention relates to a circuit and method of encryption in the Counter with CBC-MAC (CCM) mode, which combines counter-mode encryption with a CBC-MAC.
The present invention applies to secured data transmission, more particularly to secured wireless networks.
2. Background of the Invention
Network security related to wireless local area networks (WLANs), for example according to the IEEE 802.11 standards (such as 802.11i or 802.11n), Wireless USB, etc., generally requires encryption according to the Advanced Encryption Standard, implemented in CCM mode. The CCM mode provides both privacy (confidentiality) and data integrity. To achieve data privacy, data is encrypted using a secret key known only to the transmitting and receiving network nodes. Data integrity is ensured by generating a tag (message authentication code, MAC) based on the data to be transmitted, and then recalculating the tag at the receiving end to ensure that the data has not been corrupted or tampered with in transit.
Messages to be transmitted are in the form of data packets. Each packet comprises a header giving information such as the destination address of the data, additional authenticated data which can be used, for example, for authentication of the packet header, and a payload. The packet header and any additional authenticated data (grouped hereafter under the name header) are not encrypted, as they are used for routing the packet to its destination in the network. However, the header is taken into account to compute the tag. The payload is both encrypted and used to generate the tag, which is itself usually encrypted.
FIG. 1A is a block diagram illustrating a conventional example of a process 100 for encrypting data packets in counter mode. Header and payload are organized in groups (blocks) of bits, the size of which depends on the processing granularity of the process. The example of FIG. 1A illustrates the case where there are four payload data blocks of plain text P1 to P4 to be processed; however, the process can be expanded to process any required number of data blocks. Each data block P1 to P4 is combined (XOR gates 112, 114, 116 and 118) with a keystream block S1 to S4 to produce four blocks of cipher text C1 to C4. Keystream blocks S1 to S4 are generated by encrypting (steps 122, 124, 126 and 128, algorithm E) different counter block values (nonces) N1 to N4 with the same secret key K. In counter mode, the successive values N2 to N4 are obtained by incrementing (steps 134, 136 and 138) a first value N1 corresponding to an initialization value IV (for example, zero) of a counter. Encryption in counter mode is preferred to encryption in cipher block chaining mode because the keystream blocks do not depend on the data, so the algorithm E can be applied (computed) before the data block is received.
In a hardware implementation of the encryption to which the present invention applies, a single unit (logic computation core) implementing the algorithm E is successively loaded with the value of a counter incremented for each new data block P1 to P4, and the result provided by this unit is connected to a first input of an XOR gate, the second input of which receives the current data block. For each data block, the key K is provided to the unit.
FIG. 1B is a block diagram illustrating a conventional example of a process 200 for computing, according to a cipher block chaining (CBC) method, data integrity data in the form of a tag. For data integrity, both the header and the payload have to be processed. For simplicity, it is assumed that a data block P0 is the header of a packet comprising payload data blocks P1 to P4. The first data block (here, the header P0) is combined (XOR gate 210), before encryption (step 220), with an initialization value IV′ (for example, zero). Each following data block P1 to P4 is combined (XOR gates 212, 214, 216 and 218) with the encryption result of the preceding stage, and each XOR output is in turn encrypted with the same algorithm E (steps 222, 224, 226 and 228), so that the chaining value carried from block to block depends on all the blocks processed so far. The result of the encryption (output of step 228) following the last data block P4 of the packet provides the message authentication code or tag. The ciphering key K is the same for each computation of the algorithm E.
As for the counter mode, a single logic core computing the algorithm E is used for a hardware implementation of the CBC-MAC. This single core is successively loaded with the output of a circuit forming an XOR gate, a first input of which receives the initialization value IV′ and then the successive results of the algorithm, while a second input receives the successive data blocks P0 to P4. Again, for each data block, the key K is provided to the circuit.
FIG. 2 illustrates in a schematic form a conventional example of a process for combining the counter mode and the CBC-MAC computation in order to provide both privacy and integrity.
Assume a message (in the form of a data packet) comprising r+1 data blocks B0 to Br, including h+1 blocks B0 to Bh representing the packet header (and additional authenticated data), which are not to be encrypted, and r−h payload data blocks Bh+1 to Br, which are to be encrypted. All the blocks are processed according to the process 200 (CBC-MAC) of FIG. 1B to generate a tag. The payload data blocks are processed a second time according to the counter mode process 100 of FIG. 1A to obtain ciphered blocks CBh+1 to CBr. The first h+1 blocks B0 to Bh are sent over the network in clear together with the r−h ciphered blocks CBh+1 to CBr and the tag CTAG (usually ciphered using the counter mode).
By recalculating the tag at the destination based on the header and the decrypted blocks, and comparing it with the transmitted tag, the data integrity of the received packet can be checked. The key K and the initialization values IV and IV′ have to be known by the receiver. Choosing zero for the IV's therefore avoids the need to transmit them. Note that in the standardized CCM mode (RFC 3610, NIST SP 800-38C) the counter blocks and the first CBC-MAC block additionally carry a per-packet nonce, because reusing the same counter start value with the same key would reuse the keystream across packets; the zero initialization values above are a simplification of the block processing only.
According to the method described above, every part of the payload of a message to be transmitted is processed twice: once for encryption and a second time for data integrity. Known hardware implementations provide a single computing core, surrounded by suitable logic and registers, such that it is used once for encryption and then again for data integrity. Whilst the header of each packet need only be processed for the generation of the tag, the payload forms the majority of the data in each packet, so the throughput is bounded by two full passes of the payload through the core. This solution is thus disadvantageous in that it is slow and inefficient at performing the required algorithm.
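The following is an added worked example, not code from the patent, modelling the three conventional processes described above: the counter-mode pass of FIG. 1A, the CBC-MAC chain of FIG. 1B, and their combination in FIG. 2, with a counter on the block-cipher core to make the double processing of the payload visible. The core E is a stand-in built from SHA-256 in place of AES (an assumption for offline runnability; it is not a cipher and not secure, but CTR and CBC-MAC only ever call E in the forward direction, so the mode structure is unaffected). Masking the tag with counter block IV+0 and starting the payload at IV+1 follows the RFC 3610 convention, which the text above does not fix; the per-packet nonce of the real standard is omitted, as in the text.

```python
import hashlib
import hmac
from typing import Callable, List, Optional, Tuple

BLOCK = 16  # block size in bytes, as for AES
ZERO_BLOCK = bytes(BLOCK)
BlockFn = Callable[[bytes], bytes]


def make_stand_in_cipher(key: bytes) -> Tuple[BlockFn, dict]:
    """Build E_K plus a counter of how often the core is invoked.

    Assumption/stand-in: E_K(X) = SHA-256(K || X) truncated to one block,
    in place of the AES core E of the figures. Not a block cipher, not
    secure; it only models a keyed block function. Neither CTR nor
    CBC-MAC ever needs the inverse of E.
    """
    calls = {"n": 0}

    def E(block: bytes) -> bytes:
        if len(block) != BLOCK:
            raise ValueError("E takes exactly one block")
        calls["n"] += 1
        return hashlib.sha256(key + block).digest()[:BLOCK]

    return E, calls


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def to_blocks(data: bytes) -> List[bytes]:
    """Split into full blocks, zero-padding a trailing partial block."""
    padded = data + bytes(-len(data) % BLOCK)
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]


def counter_block(iv: bytes, i: int) -> bytes:
    """N_i = IV + i as a 128-bit big-endian counter (FIG. 1A increments N1)."""
    return ((int.from_bytes(iv, "big") + i) % (1 << (8 * BLOCK))).to_bytes(BLOCK, "big")


def ctr_crypt(E: BlockFn, iv: bytes, data: bytes, start: int = 1) -> bytes:
    """FIG. 1A: C_i = P_i XOR E_K(N_i); the same call decrypts. The keystream
    of the last block is truncated when the data is not a block multiple."""
    out = bytearray()
    for i, blk in enumerate(to_blocks(data)):
        out += xor_bytes(blk, E(counter_block(iv, start + i)))
    return bytes(out[:len(data)])


def cbc_mac(E: BlockFn, iv_prime: bytes, blocks: List[bytes]) -> bytes:
    """FIG. 1B: chain = E_K(chain XOR B_i), starting from IV'; the final
    chaining value is the tag."""
    chain = iv_prime
    for blk in blocks:
        chain = E(xor_bytes(chain, blk))
    return chain


def ccm_encrypt(E: BlockFn, header: bytes, payload: bytes,
                iv: bytes = ZERO_BLOCK, iv_prime: bytes = ZERO_BLOCK) -> Tuple[bytes, bytes]:
    """FIG. 2: every block goes through the CBC-MAC; the payload goes through
    the core a second time in counter mode; the tag is masked with counter
    block IV+0 (RFC 3610 convention, assumed here)."""
    tag = cbc_mac(E, iv_prime, to_blocks(header) + to_blocks(payload))
    ciphertext = ctr_crypt(E, iv, payload, start=1)
    enc_tag = xor_bytes(tag, E(counter_block(iv, 0)))
    return ciphertext, enc_tag


def ccm_decrypt(E: BlockFn, header: bytes, ciphertext: bytes, enc_tag: bytes,
                iv: bytes = ZERO_BLOCK, iv_prime: bytes = ZERO_BLOCK) -> Optional[bytes]:
    """Receiver side: decrypt, recompute the tag over header and recovered
    payload, compare in constant time; None on any mismatch."""
    payload = ctr_crypt(E, iv, ciphertext, start=1)
    expected = xor_bytes(cbc_mac(E, iv_prime, to_blocks(header) + to_blocks(payload)),
                         E(counter_block(iv, 0)))
    if not hmac.compare_digest(expected, enc_tag):
        return None
    return payload


if __name__ == "__main__":
    # Constructed sample: a 2-block header (h = 1) and a 4-block payload (r = 5).
    E, calls = make_stand_in_cipher(b"\x01" * 16)
    header, payload = b"H" * 32, b"P" * 64
    ct, etag = ccm_encrypt(E, header, payload)
    # 6 core calls for the CBC-MAC over all blocks, 4 for the counter-mode
    # pass over the payload, 1 for the tag mask: the payload is processed twice.
    print("core invocations:", calls["n"])
    print("roundtrip ok:", ccm_decrypt(E, header, ct, etag) == payload)
```

The call counter is the point of the example: of the eleven core invocations for a two-block header and four-block payload, eight are spent on the four payload blocks, which is the double pass the paragraph above identifies as the throughput limit of a single-core implementation.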
This drawback is particularly pronounced for encryption algorithms using a key schedule (for example, the AES algorithm), i.e. algorithms in which, for each block to be processed, sub-keys are derived from the key K and used successively in the rounds of an iterative process. With such algorithms, the computation time of the CCM mode encryption can be critical for the rate of transmission of the data.
An example of the known method described above applied to the AES is disclosed in “FPGA Implementation AES for CCM Mode Encryption Using Xilinx Spartan-II”—Khoa Vu, David Zier—ECE 679, Advanced Cryptography, Oregon State University, Spring 2003.